Blocking emails to role accounts: Good idea? (Updated for 2024)


Do you block email signup attempts from role accounts? If not, I think you should consider it.

What's a role account, you might ask? It's an email that has a username part (the part to the left of the @ sign) that is commonly reserved for either a system function or administrative role.

RFC 2142 is a great place to start to look for a list of common role accounts. It lists these common usernames: info, marketing, sales, support, abuse, noc, security, postmaster, hostmaster, usenet, news, webmaster, www, uucp, and ftp.

By "blocking email attempts from these role accounts" I mean any signup forms you maintain should deny submission of (or at least treat suspiciously) addresses like security@spamresource.com, security@xnnd.com, security@wombatmail.com (or security@ any domain). The theory is that these accounts are created for a specific role or department, not for a person, and when it comes to an email list subscription, people should be opting in only themselves.

If I know that a sender has "ftp@wombatmail.com" on their mailing list, I can pretty well guess that they made that address up to try to spam it, and it's not likely to have legitimately opted-in.

From an ESP's perspective, the ESP can catch a subset of bad actor clients by looking for how many instances of these "role" email addresses a client may have on their list. It's easy to create a list of these programmatically. A bad guy trying to prospect through sending spam could easily just try to send email to security@(every domain) for every single domain name he or she knows about.

And configuring signup forms to reject mail to these addresses is potentially in your best interest, if you're a web designer or email campaign manager. If somebody fills out a form with one of these addresses, there's a good chance the intent isn't good; it could be somebody feeding purchased addresses or scraped data into your list (bad guys sometimes do this to see what they can get away with, as a sort of "poor man's email verification"), or it could be an attempt to "forge subscribe" an unrelated party, or to try to make mail go to a spam trap address. Either way it causes the email sender nothing but problems. (Maybe not at first, but it builds up like dirt, and eventually you end up with enough dirt to start causing big, dirty problems.)

Some ESPs and email platforms do block mail to, or signups from, these role accounts today. If you're not sure whether this is the case with the one you use, ask them to confirm. Not all platforms announce this publicly.

In the B2B realm (especially the small business end of the B2B realm), some folks might suggest that mail be allowed to "info, marketing, sales and support" as some small companies do indeed use addresses like sales@(domain) to sign up for various email lists or as the contact email address for their company during purchases of goods or services. My suggestion to you is that if you do manage a small business, don't use these addresses when signing up for lists or purchasing things. You'll run into situations where some email vendors block them, and you'll probably get some level of B2B spam via spammers misusing email platforms that don't block them.
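Here is an added example (not from the original post or any ESP's code) of what the two checks described above look like in practice: a signup-form filter that rejects RFC 2142 role accounts, with an optional "review instead of reject" mode for the four B2B contact roles, plus the ESP-side count of role addresses in an uploaded list. The sample list, the function names and the plus-address stripping are my assumptions.

```python
import re
from collections import Counter
from typing import Optional

# Role-account local parts listed in RFC 2142 (the list quoted above).
RFC2142_ROLES = frozenset({
    "info", "marketing", "sales", "support", "abuse", "noc", "security",
    "postmaster", "hostmaster", "usenet", "news", "webmaster", "www",
    "uucp", "ftp",
})

# The business-contact roles a small B2B sender may choose to accept with
# extra scrutiny rather than reject outright (see the B2B note above).
B2B_CONTACT_ROLES = frozenset({"info", "marketing", "sales", "support"})

_ADDR_RE = re.compile(r"^([^@\s]+)@([^@\s]+\.[^@\s]+)$")


def local_part(address: str) -> Optional[str]:
    """Return the normalised local part of an address, or None if malformed."""
    m = _ADDR_RE.match(address.strip())
    if not m:
        return None
    local = m.group(1).lower()
    # Assumption: strip sub-addressing ("Sales+promo@") so a tag cannot be
    # used to slip a role account past a plain string comparison.
    return local.split("+", 1)[0]


def classify_signup(address: str, allow_b2b_contacts: bool = False) -> str:
    """Return 'reject', 'review' or 'accept' for one signup-form submission."""
    local = local_part(address)
    if local is None:
        return "reject"          # malformed address: never accept it
    if local in RFC2142_ROLES:
        if allow_b2b_contacts and local in B2B_CONTACT_ROLES:
            return "review"      # allowed, but flagged for greater scrutiny
        return "reject"
    return "accept"


def role_address_report(addresses: list) -> dict:
    """ESP-side check: count role-account addresses in an uploaded list, per role."""
    counts = Counter()
    for addr in addresses:
        local = local_part(addr)
        if local in RFC2142_ROLES:
            counts[local] += 1
    return dict(counts)


# Constructed sample upload (not real data): a list padded with role accounts.
SAMPLE_UPLOAD = [
    "alice@example.com", "ftp@example.org", "security@example.net",
    "security@example.com", "Sales+promo@example.org", "bob@example.com",
]
```

A high ratio of role addresses to total addresses in `role_address_report` is the signal the ESP paragraph above describes; the threshold that triggers a manual review is a policy choice, not something this example fixes.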

Many mail providers reject or block mail to role accounts, including Mailjet, Cakemail, Salesforce Marketing Cloud, and others. Some platforms allow sending to role accounts, but apply greater scrutiny to the signup process or address.

[ H/T: Keith Kouzmanoff ]